Intro

Milkomeda is a protocol that brings rollups and EVM capabilities to non-EVM L1 ecosystems. Milkomeda enables users on Cardano and Algorand to transact on a sidechain where users can write and deploy contracts written in Solidity. The team continues to integrate new L1s and add new features to their protocol.

Challenge

Milkomeda aims to deliver rollup technology and interoperability to L1 ecosystems. Launching a successful L2 means launching secure components on the first try: L1 users need confidence that their funds are safe on a sidechain. The Milkomeda team has faced several challenges that stand in the way of launching a successful L2 network.

Bridge smart contracts are notoriously sensitive components in L2 ecosystems. In 2022 alone, nearly $2.5B was stolen in bridge-related hacks, and that figure continues to grow almost monthly. For an L2 to be trusted, its bridge contracts must be thoroughly analyzed for vulnerabilities. For users to trust Milkomeda, and to ensure their funds remain safe on the sidechain, the bridge code must be carefully written and reviewed for security vulnerabilities.

For rollups, off-chain components are needed to post transaction data back to the L1 chain. It is critical that these off-chain systems are secure, so that transactions can be posted from L2 to L1 and malicious actors cannot grief the network. Denial-of-service attacks would be particularly devastating to a sidechain network, so identifying such weaknesses ahead of launch is critical.

Milkomeda searched for a security partner with the expertise to evaluate all of these systems. Not only did the partner need to be versed in Solidity to review the on-chain components, but they also needed expertise in traditional software systems to evaluate the off-chain components.

Solution

Many of the challenges the Milkomeda ecosystem faced came down to whether its components were secure. Third-party audits gave the Milkomeda team the opportunity to have security experts evaluate the protocol and make recommendations for better security. Arbitrary Execution was one of the organizations selected to perform these audits.

AE performed multiple audits for Milkomeda, focusing on different system components including the sidechain bridge smart contracts, the Algorand rollup service, and other components still under development. These audits focused on finding exploitable vulnerabilities in the protocol. AE’s security researchers reviewed the smart contracts and rollup service code, splitting effort between manual review and automated analysis.

Results

Audits of Milkomeda protocol components resulted in a total of 58 findings, ranging in severity from informational to critical. Four of these findings were marked as critical severity, meaning they described vulnerabilities whose exploitation could result in catastrophic damage to the protocol and its reputation. Identifying these vulnerabilities and guiding their remediation has made the Milkomeda protocol more secure. On top of code security, public audits help build user confidence in the protocol. Today, Milkomeda successfully manages L2 networks for Cardano and Algorand, with over $3M total value locked (TVL).